Post Tue Jun 10, 2008 1:37 pm

iPhone creates mobile malware tipping point

Over on his blog, Amrit Williams discusses one of MY steadily growing concerns regarding enterprise security.

With the advance in technology, as well as the dropping prices for it, more and more users will be introducing their own devices to the network.  The iPhone is but one example of the myriad handheld devices, PDAs and the like, that are destined to create a security headache migraine.

As Amrit says, some of the announcements from the Apple conference affecting security include:

• Enterprise Support (including Microsoft Exchange Integration and Office Applications): The point at which mobile and handheld devices become real issues for enterprise IT is the point at which data can be viewed and manipulated in the same way it can be on a desktop or laptop. The ability to store, forward, read, and write Microsoft Office applications eliminates the need to use a conventional computer to do real work, but creates a nightmare scenario for organizations who are still challenged by securing data on the devices for which they are responsible.

• 3G Support: Fast Internet access will only increase the use of the iPhone for web browsing, on-line banking, commerce, and enterprise SaaS applications like Handheld access, for example, will be a boon to field sales people, but opens the door to increasing the number of browser-based attacks.

• GPS Support: Although this may seem innocuous from a security perspective, it is clear that targeted malware is on the rise. Imagine being able to tailor a message to not only include information about the recipient but to include or reference their location.

• iPhone Development Environment: In my opinion the most significant WWDC announcement has been the introduction of the iPhone as a development platform that shares APIs and tools with Mac OSX. Couple this ability to cross-pollinate malware between the iPhone and Mac OSX, with a rich media layer and an easy-to-use development environment, and you create endless fun for the legions of malware authors looking to profit from the proliferation of iPhone and Mac OS X.

According to Amrit, and I would assume most others, three very difficult things for IT departments to attain are necessary sooner rather than later.

[quote=Amrit]
1. Attain Visibility: Real-time visibility into assets, software and activities inside an infrastructure is the primary prerequisite for resolving the mobile assets problem. After all, how can you manage what you don’t see? Visibility must extend to mobile assets’ configurations and their actions on the network. It’s not enough to know that Bob in accounting owns an iPhone. You also need to know what software the iPhone runs, whether it is really Bob who is currently accessing confidential data, if he has rights to see this data, and whether he is doing it in a safe way.

2. Set Usage Policy: As IT managers lose influence over the kinds of devices that play on their networks, the question becomes less about managing tangible assets and more about protecting information and controlling processes. This argues for a platform-agnostic policy-driven approach to information security management that encompasses both conditions and actions.

3. Enforce Policies and Controls: Policies without means to enforce them have all the lasting effect of New Year’s resolutions. To be effective in a world of mobile devices that come and go from the enterprise network, enforcement cannot be a matter of centralized command and control, but rules embedded in, and enforced by, the devices themselves.
[/quote]
Reluctant CISSP, Certified ASS